OpenLDAP > 2.4.11 sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000
O. Hartmann
ohartman at zedat.fu-berlin.de
Fri Apr 24 11:56:04 UTC 2009

We run a bunch of FreeBSD boxes, some FreeBSD 7.2, others (most) FreeBSD
8.0-CURRENT (most amd64).

These boxes manage their users via OpenLDAP 2.4.XX. Before we did an
upgrade to OpenLDAP 2.4.15/16, everything was all right. Now, after
nearly all of our OpenLDAP servers have been upgraded to 2.4.16, users
cannot log in via ssh onto their hosts for work. Because this is at
this very moment a very small scientific test facility, I circumvent
problems by having local accounts the traditional way.

When users try to log in on a workstation via ssh, the connection gets
closed after they have provided their password, sending this error:

sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000
(or whatever UID is provided)

Sshd on the server side is configured to use PAM, and both pam_ldap and
nss_ldap are installed, up to date, recompiled to match OpenLDAP 2.4.16.
Besides, OpenLDAP 2.4.11/13/14/15.16 uses DB4.7 on our installation.

The funny thing is that this problem occurred immediately and
synchronously on all clients and OpenLDAP servers when moved from 2.4.11
to 2.4.16/db47. On the other hand, and also very funny and confusing, I
can enumerate every UID in the home directory, I can su to every user
managed by LDAP, I can 'su' to users, users are able to authenticate
themselves when using SAMBA (also OpenLDAP backed) and authenticate
web-users when accessing restricted pages on our site secured by
OpenLDAP backed authentication (lighttpd). But no one is capable of
logging in via ssh!

The situation is very frustrating. I do not see anything suspicious when
tracking OpenLDAP's logs (ACL/stats), nor do I see anything weird when
looking at sshd's logs. I need help to track down this problem.

When I search the net for the above-mentioned specific error message I
get a lot of trouble reports concerning nss_ldap and sshd, but those
were related to 2003/2005.

Any suggestions?

Thanks in advance,
Oliver